Bharat Club IT Policy

Our commitment to responsible, secure, and lawful use of technology — protecting every member’s data and keeping our digital community safe.

Overview

The Bharat Club is committed to protecting the privacy, security, and integrity of all member information across every digital touchpoint — from our website and mobile app to social media and internal systems. This policy applies to all registered members (ordinary, associate, honorary, and life members), committee members, staff, volunteers, vendors, and anyone who accesses Bharat Club’s digital platforms.

What this covers

Member registration system (online & offline)
Official Bharat Club website
Mobile app (iOS & Android)
Social media & digital engagement
Computers, laptops, tablets & mobile devices
Email systems & messaging platforms
Member portals & databases
Cloud services & software

Our goals

1. Protect member data: Safeguard the personal data and privacy of all Bharat Club members in accordance with PDPA 2010
2. Secure our systems: Ensure the integrity, availability, and confidentiality of all Bharat Club IT systems
3. Define acceptable use: Set clear rules for using our website, mobile app, and social media platforms
4. Respond to incidents: Establish clear procedures for detecting, reporting, and responding to cybersecurity incidents
5. Stay compliant: Ensure compliance with Malaysian laws and international IT standards at all times
6. Promote good digital citizenship: Encourage responsible, ethical, and lawful digital behaviour among all members and administrators

Child Safety & Minor Protection

The Bharat Club is committed to providing a safe and appropriate digital environment for all users, with dedicated protections in place for children and minors across our mobile app, website, and all digital platforms. This commitment is aligned with the Apple App Store Children’s Category guidelines, the Google Play Families Policy, the Malaysian Personal Data Protection Act 2010 (PDPA), and the Communications and Multimedia Act 1998 (CMA). The following provisions form a binding part of our IT Policy and apply to all members, administrators, vendors, and any party who interacts with Bharat Club’s digital platforms.

Any minor under the age of 18 who wishes to register for the Bharat Club app or access member-exclusive digital services must do so with the prior written consent of a parent or legal guardian. This consent must be provided at the point of registration and retained on record by the club. Parents and guardians retain the right to access, review, correct, or request the deletion of their child’s personal data at any time by submitting a written request to our designated Data Protection Officer (DPO). The Bharat Club also supports the use of native parental control features available on iOS through Apple’s Screen Time and on Android through Google’s Family Link, and encourages parents to enable these controls for minor users.

Legal framework

Legislation | What it means for us
Personal Data Protection Act 2010 (PDPA) | How we collect, process, and store your personal data
Computer Crimes Act 1997 (CCA) | Protection against unauthorised access and misuse of systems
Communications and Multimedia Act 1998 (CMA) | Standards for online content and digital communications
Electronic Commerce Act 2006 (ECA) | Legal validity of digital transactions and e-signatures
Digital Signature Act 1997 (DSA) | Governs electronic signatures used in member registration
Copyright Act 1987 (Amended 2012) | Protects our digital content, website materials, and intellectual property
Cybersecurity Act 2024 | National cybersecurity obligations and incident reporting requirements
Societies Act 1966 | Governs our registration and operations as a registered society
Malaysia National Cybersecurity Policy (NCSP 2020–2024) | National cybersecurity strategy and standards we align with
IT Governance & Responsibilities

Management committee

Sets the direction for all IT decisions, approves this policy and major IT changes, and ensures the club allocates adequate budget and oversight to maintain safe, reliable technology systems.

IT coordinator / appointed officer

Manages day-to-day IT operations, ensures system security and backups are in place, coordinates with external IT vendors, and reports all incidents to the Management Committee promptly.

Members & users — what we expect

Expected of you
Use club IT resources responsibly
Keep your login credentials private and secure
Report any security incidents or suspicious activity promptly
Not permitted
Access unauthorised systems or other members’ data
Distribute malicious software of any kind
Use club resources for illegal, offensive, or unrelated political activities
Share passwords or impersonate other members

Policy review cycle

This policy is reviewed annually by the IT Committee, or sooner if there are significant changes to Malaysian law, technology, or Bharat Club operations. All amendments require Committee approval, and all members are notified of material changes. Previous versions are archived for reference.

How We Handle Your Data

We collect only the information needed to manage your membership and communicate with you — nothing more. All data handling complies fully with the Personal Data Protection Act 2010 (PDPA) and the Electronic Commerce Act 2006.

Information we may collect

Full name (as per MyKad or Passport)
NRIC or passport number
Date of birth & gender
Email address & mobile number
Residential address
Emergency contact details
Payment & fee transaction records
Profile photo (optional, with your explicit consent only)
A Privacy Notice is presented to all members at the point of registration — physical or digital — informing you of the data collected, the purpose, your rights under PDPA 2010, and the contact details of our Data Protection Representative.

Our seven PDPA commitments

Principle | Our commitment | How we implement it
General | Collect only for lawful, stated purposes | Registration form with clearly stated purpose
Notice & Choice | Tell you what we collect and why, before we collect it | Privacy notice displayed at registration
Disclosure | Never share your data with third parties without your consent | Written consent required for any third-party sharing
Security | Apply reasonable security measures to protect your data | Encrypted database and strict access controls
Retention | Keep data only as long as necessary | 3-year retention policy with annual purge review
Data Integrity | Ensure your data is accurate, complete, and current | Member self-service update portal
Access | Let you view and correct your own data at any time | Member login portal for viewing and updating data

How long we keep your data

Active members
Throughout membership
Former members
Up to 3 years after expiry
Financial records
7 years (Income Tax Act 1967)

How we secure your data

All member data is stored on secured servers accessible only to authorised personnel. Passwords are never stored in plain text: they are hashed with a salted, deliberately slow password-hashing algorithm such as bcrypt, scrypt, Argon2, or PBKDF2. A bare SHA-256 digest is not acceptable for passwords, because it is fast and unsalted and can be brute-forced offline if the database is ever copied. Physical membership forms are kept in locked cabinets. Digital records are backed up automatically to a secure, off-site or cloud location on the schedule set out under Data backup & recovery below. All data transfers use encrypted channels (TLS 1.2 or above).

Your consent & how to withdraw it

Your consent is always explicit — we never use pre-ticked boxes. Marketing communications require a separate opt-in from operational consent. You may withdraw your consent at any time via our online portal or by written notice. Withdrawing consent does not affect the legality of any processing that took place before withdrawal.

Cybersecurity

Access control

Every user accesses only the systems relevant to their role (Role-Based Access Control). Administrative access always requires multi-factor authentication (MFA). Shared or default passwords are never permitted. Access rights are reviewed every quarter and removed immediately when someone leaves a role or their membership ends. All access activity is logged and monitored.

Password requirements

Minimum length
10 characters
Must include
Upper, lower, numbers & symbols
Admin rotation
Every 90 days
Reuse restriction
Cannot reuse last 5 passwords

Password managers are recommended for all committee members who handle IT systems.
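The password rules in the table above, together with the hashing and "last 5 passwords" requirements, are the kind of check the member portal can enforce in code. The following is an added example written for this page, not code from the Bharat Club's own systems. It assumes PBKDF2-HMAC-SHA256 from Python's standard library in place of the bcrypt the policy names (either is acceptable; PBKDF2 was chosen so the example runs without third-party packages), validates the four policy rules, stores each password as a salted hash that carries its own parameters, and checks a candidate against the member's last five hashes. It also shows, via plain_sha256, why an unsalted SHA-256 digest is not a password hash: every member with the same password would get the same digest.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Policy values from this page: 10-character minimum, all four character
# classes, and no reuse of the last 5 passwords.
MIN_LENGTH = 10
HISTORY_DEPTH = 5

# Assumption for this example: PBKDF2-HMAC-SHA256 (standard library) stands in
# for the bcrypt named in the policy. 600,000 iterations is the figure OWASP
# currently recommends for this KDF; the salt is random and per password.
KDF = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

CLASS_CHECKS = [
    (re.compile(r"[A-Z]"), "no upper-case letter"),
    (re.compile(r"[a-z]"), "no lower-case letter"),
    (re.compile(r"[0-9]"), "no digit"),
    (re.compile(r"[^A-Za-z0-9]"), "no symbol"),
]


def check_policy(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CLASS_CHECKS:
        if not pattern.search(password):
            problems.append(message)
    return problems


def plain_sha256(password: str) -> str:
    """What NOT to store: fast, unsalted, and identical for every member using this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Derive a salted, slow hash and pack it with its parameters for later verification."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{KDF}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        kdf, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if kdf != KDF:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reused(password: str, history: list[str]) -> bool:
    """True if the candidate matches any of the member's last HISTORY_DEPTH hashes.

    Each stored hash has its own salt, so the candidate is re-derived per entry;
    a straight digest comparison only works for the unsalted scheme we are avoiding.
    """
    return any(verify_password(password, stored) for stored in history[:HISTORY_DEPTH])


def change_password(new_password: str, history: list[str]) -> tuple[bool, str, list[str]]:
    """Apply the whole policy to a password change.

    `history` holds the member's stored hashes, most recent first (history[0] is the
    current password). Returns (accepted, new_hash_or_reason, updated_history).
    """
    problems = check_policy(new_password)
    if problems:
        return False, "policy: " + "; ".join(problems), history
    if is_reused(new_password, history):
        return False, f"reused: matches one of the last {HISTORY_DEPTH} passwords", history
    new_hash = hash_password(new_password)
    return True, new_hash, [new_hash, *history][:HISTORY_DEPTH]


if __name__ == "__main__":
    # Constructed sample credentials for the demo, not real ones.
    current = hash_password("Correct-Horse-9")
    print(change_password("Correct-Horse-9", [current])[1])   # rejected: reused
    print(change_password("short1!", [current])[1])           # rejected: policy
    print(change_password("Batu-Caves-2024!", [current])[0])  # True
```

Because each stored string carries its own salt and iteration count, the work factor can be raised later without breaking existing records: an old entry is simply re-hashed with the new parameters the next time that member logs in successfully.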

What happens when a security incident occurs

1. Detect: Identify and verify the incident; document the time and nature of the breach
2. Contain: Isolate affected systems; disable compromised accounts; prevent further spread
3. Notify: Alert the President and IT Committee immediately; notify the Personal Data Protection Commissioner within 72 hours of becoming aware of a personal data breach, and affected members without undue delay, as the PDPA's breach-notification rules require
4. Report: Report to MyCERT (the Malaysia Computer Emergency Response Team, part of CyberSecurity Malaysia) at mycert.org.my if the breach is significant
5. Eradicate: Remove malicious code, patch vulnerabilities, and restore from a clean backup
6. Recover: Restore all services, conduct a post-incident review, and update the incident register
7. Learn: Debrief the team, update policies and controls, and notify staff and members as needed

Data backup & recovery

Backup frequency
Daily (automated)
Storage locations
2+ geographically separate
Backup integrity test
Monthly restoration drills
Recovery target (RTO)
Critical systems within 24 hrs
Max data loss (RPO)
24 hours

Devices & personal devices (BYOD)

All club-owned devices must be password-protected with screen locks enabled. Lost or stolen devices must be reported to the IT Coordinator immediately. Personal devices used for club activities are permitted provided club data is properly protected, devices are secured with a password or biometric lock, and club data is deleted when no longer needed. The club reserves the right to restrict access if a security risk is identified.

Email, messaging & collaboration tools

All official communications should use club-approved email or messaging platforms. Messages must remain respectful and professional at all times. Bulk emails and announcements require prior authorisation.

Encryption

Encryption is applied to protect sensitive information from unauthorised access or disclosure. As a community-based, non-profit organisation, we adopt reasonable and proportionate encryption controls. Advanced enterprise-grade key management may not always be practical, but two minimums always apply wherever personal or financial data is involved: data in transit is protected by TLS 1.2 or above, and the member database is encrypted at rest.

Software patches

Standard patches
Applied within 30 days of release
Critical / zero-day
Applied within 72 hours
Our Website

Ownership & governance

The Bharat Club maintains sole ownership of its official website, registered under a .my or .com.my domain where applicable. Domain management and renewals are handled by the IT Committee with an annual review. The website displays our registered society name consistent with the Societies Act 1966. A dedicated Website Administrator is appointed to oversee all content and technical operations.

Content standards

All content published on the website must be factually accurate, non-defamatory, and respectful of all races, religions, and groups. Content must be reviewed and approved by an authorised committee member before it goes live. Financial matters, event registrations, and official club matters must be verified by the relevant officer. Copyrighted materials (images, videos, text) must only be used with proper licensing or attribution.

Under Sections 211 and 233 of the Communications and Multimedia Act 1998, publishing offensive, obscene, false, or menacing content online is an offence punishable by a fine of up to RM50,000, imprisonment of up to one year, or both.

Website security measures

HTTPS with a valid TLS certificate (TLS 1.2 minimum)
Web Application Firewall (WAF)
Protection against SQL injection, XSS & CSRF attacks
Two-factor authentication (2FA) on all admin login pages
Annual penetration testing (or after significant changes)
Website access logs retained for a minimum of 12 months
CMS, plugins & frameworks kept up to date with security patches
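"Protection against SQL injection" in the list above means, in practice, that the website never builds a query by pasting a visitor's input into SQL text. The following is an added example written for this page, not code from the Bharat Club website or its CMS. It uses a constructed in-memory SQLite table of made-up members (the table name, columns and sample rows are assumptions) and places a deliberately vulnerable lookup beside its parameterised replacement, then runs two classic payloads through both: a tautology that matches every row, and a UNION that pulls every member's NRIC into the result.

```python
from __future__ import annotations

import sqlite3

# Constructed sample data for this example; not real member records.
SAMPLE_MEMBERS = [
    ("900101-14-0001", "Member One", "one@example.invalid"),
    ("850505-10-0002", "Member Two", "two@example.invalid"),
    ("770707-07-0003", "Member Three", "three@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """In-memory member table standing in for the portal's database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, nric TEXT, name TEXT, email TEXT)"
    )
    con.executemany("INSERT INTO members (nric, name, email) VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, nric: str) -> list[tuple[str, str]]:
    """Deliberately insecure: the NRIC from the request is pasted into the SQL text,
    so quotes and keywords inside it become part of the query."""
    sql = f"SELECT name, email FROM members WHERE nric = '{nric}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, nric: str) -> list[tuple[str, str]]:
    """Hardened form: the NRIC is bound as a parameter, so it is only ever compared
    as a value, whatever characters it contains."""
    return con.execute("SELECT name, email FROM members WHERE nric = ?", (nric,)).fetchall()


# Two classic payloads (constructed for the demo): a tautology that matches every row,
# and a UNION that returns a different column (every member's NRIC) in place of names.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT nric, email FROM members --"


def compare(nric: str) -> tuple[int, int]:
    """Row counts returned by the vulnerable and the safe lookup for the same input."""
    con = build_db()
    return len(lookup_vulnerable(con, nric)), len(lookup_safe(con, nric))


if __name__ == "__main__":
    print(compare("900101-14-0001"))  # (1, 1): both behave the same on honest input
    print(compare(TAUTOLOGY))         # (3, 0): vulnerable query leaks every member
    print(compare(UNION_DUMP))        # (3, 0): vulnerable query returns NRICs as "names"
```

The safe version is not a filter on the input; it changes how the database receives the input, so it holds for any payload. A WAF in front of the site is a useful compensating control against known attack strings, but parameterised queries are the fix.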

Cookies & tracking

A Cookie Consent Banner is shown to all visitors in compliance with PDPA 2010. Essential cookies operate without consent; analytics and marketing cookies require your explicit opt-in. A Cookie Policy page is published detailing all cookie types, their purposes, and opt-out mechanisms. Third-party tools such as Google Analytics are disclosed in our Privacy Policy.

Accessibility

Our website aims to comply with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. Content is made available in both Bahasa Malaysia and English wherever possible. Mobile responsiveness is mandatory across all website pages.

Mandatory pages on our website

Privacy Policy (PDPA 2010)
Terms & Conditions of Use
Cookie Policy
Member Registration Terms
Disclaimer & Limitation of Liability
Mobile App

The Bharat Club’s official mobile app is available exclusively through the Google Play Store (Android) and Apple App Store (iOS). No other sources are authorised. All app releases undergo internal QA and security testing before deployment.

Development standards

The app is developed following secure coding practices based on the OWASP Mobile Top 10 framework. The app’s version, developer information, and privacy policy are accurately reflected in the app store listing at all times.

Your privacy in the app

The app requests only the permissions it strictly needs — nothing more (Principle of Least Privilege). Location, camera, contacts, and other sensitive permissions are requested only with your explicit consent. All data processed through the app fully complies with PDPA 2010. Our in-app Privacy Policy is accessible at any time, both before and after account creation. All data transmitted via the app is encrypted using TLS 1.2 or higher.

Content policy

The app’s target age range is clearly specified. Adult-only content is strictly restricted. Any advertisements displayed within the app are child-friendly and appropriate for all users.

App security features

Password minimum
8 characters (letters, numbers, symbols)
Biometric login
Optional (fingerprint / face ID)
Session timeout
30 minutes of inactivity
Security patches
Released within 30 days

The app implements certificate pinning to prevent man-in-the-middle (MITM) attacks, and includes root/jailbreak detection to warn users of compromised device security.

Push notifications

We only send push notifications to members who have explicitly opted in. Notifications are always relevant, non-spammy, and limited to Bharat Club-related matters. You can manage your notification preferences at any time within the app settings. Notification data is never used for profiling or sold to third parties.

In-app payments (where applicable)

All in-app payment features comply with the Payment Card Industry Data Security Standard (PCI-DSS) and are processed exclusively via Payment Service Providers licensed under Bank Negara Malaysia guidelines. We never store your full card number, CVV, or sensitive payment credentials on your device or our servers. All payment receipts are accessible to you and retained for seven (7) years.

Social Media & Digital Engagement

Our official channels

Bharat Club maintains official verified accounts on approved platforms including Facebook, Instagram, X (Twitter), YouTube, TikTok, and WhatsApp Official. All account credentials are managed by the IT Committee. At least two authorised administrators have access to each account. Personal accounts of committee members are never used to officially represent the club.

What we post — and what we don’t

We share
Club event announcements and updates
Member achievements and recognition
Educational and informational content
Community activities and volunteering
Approved promotional partnerships
We never post
Racial, religious, or political content (CMA 1998 S.211)
Defamatory statements against any person or entity
Fake news or unverified information
Member personal data without consent
Obscene, violent, or offensive material

Member conduct on social media

When discussing or representing Bharat Club on your personal accounts, please clearly distinguish your personal views from official club positions, avoid sharing confidential club information or internal deliberations, refrain from making statements that could embarrass or defame the club, and do not impersonate the club or its officials on any platform. Report any harmful content related to the club to the IT Committee immediately.

Under Section 233 of the CMA 1998, transmitting obscene, false, threatening, or offensive content online with intent to annoy can result in fines up to RM50,000 or up to one year’s imprisonment, or both. All members and administrators must exercise due caution in all digital communications.

Sponsored & influencer content

Any sponsored or paid partnership posts must be clearly disclosed as #Advertisement or #Sponsored, and approved by the Bharat Club Committee before publication. The club does not engage in misleading commercial practices in violation of the Consumer Protection Act 1999.

Community moderation

Official social media pages are moderated by designated personnel. Comments that are abusive, violate community standards, or contain prohibited content are removed promptly. A Social Media Community Guideline is published and pinned on all official pages. Repeated violations may result in a member being banned from Bharat Club digital platforms.

WhatsApp & Telegram groups

Official club groups are managed by designated Group Admins from the committee. Members must not share fake news, political content, or personal data of others in these groups. Forwarding confidential club matters outside official groups is strictly prohibited. Group admins reserve the right to remove members who repeatedly violate group guidelines.

Acceptable Use

These guidelines apply to all IT resources provided by the Bharat Club — including Wi-Fi at club premises, computers, the website, mobile app, and all social media platforms.

You’re welcome to

Access club information, announcements, and event details
Communicate with club members and administrators on club matters
Register for events, pay membership fees, and update your profile
Participate in club-sanctioned online discussions and social activities

Strictly prohibited

Unauthorised access to other members' accounts or data (CCA 1997, Section 3)
Hacking, phishing, or attempting to compromise club systems
Distributing malware, viruses, or malicious code
Sharing pirated software, media, or copyrighted content (Copyright Act 1987)
Using club platforms for commercial activities without approval
Impersonating other members or club officials
Cyberbullying, harassment, or intimidation of any kind
Spreading fake news or misinformation (Penal Code, Section 505)

Consequences of violations

Severity | Example | Outcome
Minor | Sharing unverified information | Warning and mandatory awareness training
Moderate | Harassment, repeated AUP breach | Temporary suspension of digital access
Severe | Hacking, data theft, fraud | Membership termination and police report
Third-Party Vendors & Service Providers

When we engage external IT service providers, software vendors, cloud services, or contractors, we hold them to the same standards we hold ourselves. All engagements comply with applicable Malaysian laws and the club’s data protection obligations.

Vendor assessment

All vendors who process personal data on our behalf must sign a Data Processing Agreement (DPA) compliant with PDPA 2010. They must demonstrate adequate technical and organisational security measures. Cloud providers are assessed for data sovereignty — member data is preferably stored on servers in Malaysia or in countries with equivalent data protection laws.

What every vendor contract must include

Clear data handling, retention, and deletion obligations
Notification to us within 24 hours of any security breach affecting our data
Permission for us to conduct security audits upon reasonable notice
Prior written approval required before sub-contracting any of our data processing
Your Rights & How to Get Help

Your rights under PDPA 2010

Access the personal data we hold about you
Request correction of inaccurate or incomplete data
Withdraw your consent for data processing (subject to legal obligations)
Ask us about how your data is being processed

Submit any data access, correction, or complaint request in writing to our designated Data Protection Officer (DPO). We will respond within 21 days of receiving your request. Complaints about IT policy breaches or data misuse can be directed to the IT Chairperson. Unresolved complaints may be escalated to the Personal Data Protection Commissioner at pdp.gov.my.

Regulatory contacts

Personal Data Protection Commissioner
pdp.gov.my — PDPA 2010 breaches and complaints
CyberSecurity Malaysia (MY-CERT)
mycert.org.my — 1-300-88-2999 — Cybersecurity incidents
MCMC
mcmc.gov.my — Online content and communications violations
Royal Malaysia Police (PDRM)
Commercial Crime Division — Computer Crimes Act violations and cybercrime